| .TH F2FSCRYPT 8 |
| .SH NAME |
| f2fscrypt \- f2fs filesystem encryption utility |
| .SH SYNOPSIS |
| .B f2fscrypt add_key -S \fR[\fB -k \fIkeyring\fR ] [\fB-v\fR] [\fB-q\fR] [ \fI path\fR ... ] |
| .br |
| .B f2fscrypt new_session |
| .br |
| .B f2fscrypt get_policy \fIpath\fR ... |
| .br |
| .B f2fscrypt set_policy \fIpolicy path\fR ... |
| .SH DESCRIPTION |
| .B f2fscrypt |
| performs encryption management for f2fs file systems. |
| .SH COMMANDS |
| .TP |
| .B f2fscrypt add_key -S \fR[\fB -k \fIkeyring\fR ] [\fB-v\fR] [\fB-q\fR] [ \fI path\fR ... ] |
| Prompts the user for a passphrase and inserts it into the specified |
| keyring. If no keyring is specified, f2fscrypt will use the session |
| keyring if it exists or the user session keyring if it does not. |
| .IP |
| If one or more directory paths are specified, f2fscrypt will try to |
| set the policy of those directories to use the key just entered by |
| the user. |
| .TP |
| .B f2fscrypt get_policy \fIpath\fR ... |
| Print the policy for the directories specified on the command line. |
| .TP |
| .B f2fscrypt new_session |
| Give the invoking process (typically a shell) a new session keyring, |
| discarding its old session keyring. |
| .TP |
| .B f2fscrypt set_policy \fIpolicy path\fR ... |
| Sets the policy for the directories specified on the command line. |
| All directories must be empty to set the policy; if the directory |
| already has a policy established, f2fscrypt will validate that the |
| policy matches what was specified. A policy is an encryption key |
| identifier consisting of 16 hexadecimal characters. |
| .SH NOTES |
| The target directory must be empty. |
| .SH EXAMPLE |
| .nf |
| Formats a f2fs filesytem that supports encrypt. |
| |
| .ft R |
| # mkfs.f2fs -O encrypt /dev/sdxx |
| # mount /dev/sdxx /encrypted/ |
| # mkdir /encrypted/dir |
| |
| .nf |
| First create the key in the keyring use an simple salt |
| (or generate a random salt). |
| Then use it to set the policy for the directory to be encrypted. |
| |
| .ft R |
| # f2fscrypt add_key -S 0x1234 |
| Enter passphrase (echo disabled): |
| Added key with descriptor [28e21cc0c4393da1] |
| |
| # f2fscrypt set_policy 28e21cc0c4393da1 /encrypted/dir |
| Key with descriptor [28e21cc0c4393da1] applied to /encrypted/dir. |
| |
| # touch /encrypted/dir/test.txt |
| # ls -l /encrypted/dir/ |
| -rw-r--r--. 1 root root 0 Mar 5 21:41 test.txt |
| |
| .nf |
| After each reboot, the same command can be used set the key for |
| decryption of the directory and its descendants. |
| |
| .ft R |
| # ls -l /encrypted/dir/ |
| -rw-r--r--. 1 root root 0 Mar 5 21:41 zbx7tsUEMLzh+AUVMkQcnB |
| |
| # f2fscrypt get_policy /encrypted/dir/ |
| /encrypted/dir/: 28e21cc0c4393da1 |
| |
| # f2fscrypt add_key -S 0x1234 |
| Enter passphrase (echo disabled): |
| Added key with descriptor [28e21cc0c4393da1] |
| |
| # ls -l /encrypted/dir/ |
| -rw-r--r--. 1 root root 0 Mar 5 21:41 test.txt |
| |
| .nf |
| Show process keyrings. |
| |
| .ft R |
| # keyctl show |
| Session Keyring |
| 84022412 --alswrv 0 0 keyring: _ses |
| 204615789 --alswrv 0 65534 \\_ keyring: _uid.0 |
| 529474961 --alsw-v 0 0 \\_ logon: f2fs:28e21cc0c4393da1 |
| |
| .SH AUTHOR |
| Written by Kinglong Mee <kinglongmee@gmail.com>, |
| Migrated from e4crypt that Written by Michael Halcrow <mhalcrow@google.com>, |
| Ildar Muslukhov <muslukhovi@gmail.com>, and Theodore Ts'o <tytso@mit.edu> |
| .SH SEE ALSO |
| .BR keyctl (1), |
| .BR mkfs.f2fs (8), |
| .BR mount (8). |
